Cryptnox SA
The Cryptnox FIDO2 Card is a versatile security key designed for passwordless and two-factor authentication. With a convenient card format, it easily connects via NFC to mobile devices and smart card readers, providing seamless access to platforms like Gmail, Dropbox, and Facebook. It supports FIDO2 and U2F protocols, ensuring strong anti-phishing protection. Certified for high-level security standards, it’s compatible with iOS, Android, Windows, and macOS. The card also doubles as an RFID MIFARE DESFire access badge, enhancing its functionality.
ORDERS TO THE EU SHIP DIRECTLY FROM THE EU – NO IMPORT DUTIES
€ 39.00
Tax included. Shipping calculated at checkout.
The Cryptnox FIDO card is a certified FIDO2 authenticator that enables secure website authentication as an additional physical second factor (2FA) or without passwords (Resident Login), if the site allows. No software installation is required.
It can be used with NFC on the Android mobile operating system, as well as on Microsoft Windows desktops with a smartcard reader. On mobile phones, correct positioning at the back is required—either in the middle or at the very top—depending on your device model. The card is natively supported out of the box by most browsers.
Websites supporting the FIDO standard include Google, Facebook, Twitter, Dropbox, Outlook, and many others. Current sites mostly allow usage of the Cryptnox FIDO card as 2FA, with direct passwordless login (Resident Login) being less commonly enabled. The card registration is specific to each online account, and the procedure differs from site to site. Look for specific instructions on their respective support pages.
Cryptnox FIDO cards can be natively used as a Security Key with iOS without additional software or drivers (a minimum of two cards is required). On Microsoft Windows, Cryptnox FIDO card authentication is available with Microsoft 365 Business Premium and a card reader.
Specifications: The card supports FIDO2 (CTAP2) and U2F (CTAP1) protocols. It communicates via NFC (ISO 14443) or contact with a compatible smartcard reader (ISO 7816). It is FIDO2 Level 1 certified as per the FIDO Alliance certification program. The card chipset and cryptographic module are Common Criteria EAL6+ and FIPS 140-2 Level 3 certified. Cryptnox is a member of the FIDO Alliance.
Configure your FIDO2 card with the Cryptnox FIDO2 Card Manager mobile application (iOS only). Easily set, test, and change your PIN, or reset your card to factory default if required.
Experience robust protection across operating systems and web platforms with passwordless or two-factor authentication. Prevent phishing attacks effectively with our certified FIDO2 technology.
Secure your Apple ID and Windows accounts effortlessly. Use the card for hassle-free online authentication with major platforms such as Google, Facebook, X, Dropbox and others. Fully compatible with both desktop and mobile browsers.
No software installation required. Simply tap the card on your smartphone or place it on your desktop’s card reader to authenticate securely instantly.
U2Fv2, FIDO2 version 2.1, certified Level 1. NFC ISO 14443, and ISO 7816 contact interfaces. Chip EAL6+ and FIPS 140-2 Level 3 certified.
Enhance your security setup with RFID badge capabilities, featuring Mifare DESFire EV1 & EV2 technology
with a 4K memory for versatile use in secure environments.
Smartly created that you can hide in the built-in USB cord at the back of the reader; Easily be carried as it is made just in the right size.
Brand: Cryptnox
Material: Plastic
Color: Black
Style: Modern
Certifications
The chipset and cryptographic module are certified EAL6+ as per the Common Criteria standards FIPS 140-2 Level 3 as per the NIST standards.
Communication Interfaces
• ISO/IEC 14443 (NFC Contactless)
• ISO/IEC 7816 (Contact)
Certification
• FIDO 2.1, Level 1
Note : higher certifications available on request
Characteristics
• U2Fv2, FIDO 2.0 and FIDO 2.1 standards
• NFCISO 14443 contactless and ISO 7816 contact interfaces
• EC Digital Signature (ECDSA) with NIST P256 (256R1) parameters
• 32 bits signature counter, reset to 0 upon authenticator reset
• Multiple accounts per Relying Party
• Resident keys credentials (64 credential slots)
• CredManagement commands
OPTIONS
• HmacSecret
• CredProtect
• CredBlob for Resident-Keys
• minPinLength: stores up to 4 authorized RPs
AAGUID
• 1dlb4e33-76al1-47fb-97a0-14b10d0933f1
• MIFARE DESFIREEV1&EV2
• Memory 4k
• iOS mobile application (PIN & configuration management)
It’s a Swiss-designed NFC smart card that combines two security functions on a single secure-element chip:
The two applets are logically firewalled inside the chip — each uses its own keys and memory space, so a compromise of one cannot reach the other. Firmware is designed in Switzerland; cards are programmed in Switzerland or Poland. The face carries the Cryptnox branding — for a blank, in-house-printable face, see the FIDO2 + MIFARE White PVC variant.
Both are FIDO2-certified and work over NFC. Key differences:
For pure web 2FA on a keyring, either works. For one credential that handles both web sign-in and office door access, this card combines them.
Any service that supports FIDO2, WebAuthn, or legacy U2F — which is now the vast majority of major online platforms:
If the service’s security settings show a “security key” or “passkey” registration option, this card will work. Registration is done by tapping the card on your phone’s NFC area or placing it on a contactless reader connected to your computer.
MIFARE DESFire EV2 is a widely-used enterprise contactless credential standard, and our cards are plain-vanilla DESFire chips with open AES key programmability. Compatibility is not universal: many readers accept standard DESFire cards once encoded with the right AES keys and application structure, but some access control systems are configured to only accept cards issued by specific vendors with proprietary overlays. We recommend testing a single card end-to-end with your specific reader + access control software before any larger rollout — or ask your systems integrator whether your stack allows third-party DESFire cards.
Phones: – iOS — any iPhone 7 or newer; Safari supports FIDO2 over NFC natively. – Android — Android currently supports only CTAP1 / U2F (FIDO1) for external NFC security keys, not the newer FIDO2 / CTAP2. Most major services (Google, Microsoft, GitHub, etc.) maintain CTAP1 backward compatibility, so the Cryptnox card works on the majority of mainstream sites as a second-factor authenticator on Android. The feature set is reduced — no passwordless or passkey-style sign-in — and CTAP1 implementations vary across servers, so it isn’t 100% guaranteed for every service. Test with your target service before relying on it.
To register on a supported phone, sign in to your account, go to Security settings → Security keys / Passkeys, click “Add security key,” and tap the card against your phone’s NFC area (typically the upper back). Registration takes 10–30 seconds per service.
Desktop / laptop: – Windows 10/11 — full FIDO2 support across all major browsers; tap on built-in NFC or use a contactless reader. – macOS — FIDO2 over NFC support varies by macOS version and browser. Test before relying on it for production. – Linux — Linux browsers expect FIDO2 authenticators to expose a HID interface, which contactless smart card readers do not. Use our open-source Cryptnox FIDO2 HID bridge — a small daemon that presents the card to the browser as an HID-FIDO device.
If your computer doesn’t have built-in NFC, we make two USB-C readers: the NFC Contactless Reader and the dual-slot Cryptnox Smartcard Reader. Both use the standard USB CCID interface — no Cryptnox-specific driver needed.
Cryptnox FIDO2 app (advanced features only): the free Cryptnox FIDO2 app (App Store / Play Store) is for advanced management — PIN changes, factory reset, and handling resident-key (discoverable) credentials stored on the card. It is not required for day-to-day use — registering the card with a service, signing in, and 2FA all work directly with any FIDO2-supporting browser or service, no app needed.
Replacing a card: keys are bound to the card’s secure element and never leave it, so cards cannot be cloned or migrated card-to-card. To replace a lost or retired card, register the new card on each account/service and delete the old card’s registration at that service. The new card creates its own fresh per-service keys; the old card’s registrations are revoked server-side. For high-stakes deployments, register a backup card on each account in advance so a lost primary doesn’t lock the user out.
